关联漏洞
标题:Vitest 路径遍历漏洞 (CVE-2025-24963)Description:Vitest是Vitest开源的一个 Vite 支持的下一代测试框架。 Vitest存在路径遍历漏洞,该漏洞源于浏览器模式HTTP服务器上的__screenshot-error处理程序可响应文件系统上的任何文件。
Description
Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host- true`, an attacker can send a request to that handler from remote to get the content of arbitrary files.This `__screenshot-error` handler on the browser mode HTTP server responds any file on the file system. This code was added by commit `2d62051`. Users explicitly exposing the browser mode server to the network by `browser.api.host- true` may get any files exposed. This issue has been addressed in versions 2.1.9 and 3.0.4. Users are advised to upgrade. There are no known workarounds for this vulnerability.
文件快照
id: CVE-2025-24963
info:
name: Vitest Browser Mode - Local File Read
author: iamnoooob,rootxhar
...
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。